lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0
436
stars
112
forks
source link
Aliased command calls the actual command when after a pipe #96
example:
I have this aliases line in my config:
aliases : {'ssh': 'limited_user_teleport', 'awk': 'gawk'}
ben:~$ ssh usage: limited_user_teleport [-h] [-l [FILTER]] SERVER [COMMAND...] ben:~$ echo
ben:~$ echo | ssh usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] * ssh help message cut off -- you get the point *
While I understand that linux aliases only work at the beginning of the command, it seems like only one of the following should be true:
This seems like a pretty big security flaw. I'll investigate more in the morning, maybe send a pull.